Security Advisory (Critical): richfaces security update

Advisory: RHSA-2013:1042-1
Type: Security Advisory
Severity: Critical
Issued on: 2013-07-10
Last updated on: 2013-07-10
Affected Products: JBoss Enterprise Application Platform 5 EL4
                   JBoss Enterprise Application Platform 5 EL5
                   JBoss Enterprise Application Platform 5 EL6
CVEs (cve.mitre.org): CVE-2013-2165

Details

Updated richfaces packages that fix one security issue are now available
for Red Hat JBoss Enterprise Application Platform 5.2.0 for Red Hat
Enterprise Linux 4, 5, and 6.

The Red Hat Security Response Team has rated this update as having critical
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

RichFaces is an open source framework that adds Ajax capability into
existing JavaServer Faces (JSF) applications.

A flaw was found in the way RichFaces ResourceBuilderImpl handled
deserialization. A remote attacker could use this flaw to trigger the
execution of the deserialization methods in any serializable class deployed
on the server. This could lead to a variety of security impacts depending
on the deserialization logic of these classes. (CVE-2013-2165)

The fix for this issue introduces a whitelist to limit classes that can be
deserialized by RichFaces.

If you need to whitelist a class that is not already listed (for example, a
custom class of your own), use one of the following methods:

Method 1: Implement the SerializableResource interface in the class.
In RichFaces 3 the interface is org.ajax4jsf.resource.SerializableResource;
in RichFaces 4/5 it is org.richfaces.resource.SerializableResource.

Method 2: Add the class to the resource-serialization.properties file
(a default properties file is provided once this update is applied).
To do this, extend the framework-provided properties file, which is located
under org.ajax4jsf.resource in RichFaces 3 and under org.richfaces.resource
in RichFaces 4/5. The modified properties file must then be copied into the
classpath of your deployment under the same version-specific package.

Where possible, it is recommended that Method 1 be followed.
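As an added illustration of the mitigation the fix introduces (example code written for this advisory, not RichFaces' own implementation): a look-ahead ObjectInputStream that checks every class name in the stream against an allowlist before the class is instantiated. The allowlist contents and the com.example.ReportQuery class name are constructed for the example.

```java
import java.io.*;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/**
 * Look-ahead ObjectInputStream: resolveClass() runs before any instance is
 * created, so an unlisted class is refused before its readObject()/readResolve()
 * callbacks could execute.
 */
public class WhitelistObjectInputStream extends ObjectInputStream {
    // Constructed allowlist for this example; a deployment would load it from a
    // properties file. Superclasses must be listed too (Integer extends Number).
    private static final Set<String> ALLOWED = new HashSet<String>(Arrays.asList(
        "java.lang.Number", "java.lang.Integer",
        "com.example.ReportQuery"));   // hypothetical application class

    public WhitelistObjectInputStream(InputStream in) throws IOException { super(in); }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!ALLOWED.contains(name)) {
            throw new InvalidClassException("Unauthorized deserialization attempt", name);
        }
        return super.resolveClass(desc);
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(bos);
        oos.writeObject(o);
        oos.close();
        return bos.toByteArray();
    }

    static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        return new WhitelistObjectInputStream(new ByteArrayInputStream(data)).readObject();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("allowed: " + deserialize(serialize(42)));
        try {   // java.util.Date is Serializable but not listed: rejected up front
            deserialize(serialize(new java.util.Date()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.classname);
        }
    }
}
```

Running main prints the allowed Integer and then the rejected class name; the rejection happens in resolveClass, before any Date instance exists.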

Red Hat would like to thank Takeshi Terada (Mitsui Bussan Secure
Directions, Inc.) for reporting this issue.

Warning: Before applying this update, back up your existing Red Hat JBoss
Enterprise Application Platform installation (including all applications
and configuration files).

All users of Red Hat JBoss Enterprise Application Platform 5.2.0 on Red Hat
Enterprise Linux 4, 5, and 6 are advised to upgrade to these updated
packages. The JBoss server process must be restarted for the update to take
effect.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Updated packages

(These packages are only available from the Red Hat Network.)

Bugs fixed (see bugzilla for more information)

973570 - CVE-2013-2165 JBoss RichFaces: Remote code execution due to insecure deserialization


References

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/